Better Robustness by More Coverage: Adversarial Training with Mixup Augmentation for Robust Fine-tuning

TL;DR

This paper introduces AMDA, a novel data augmentation method combining adversarial training with mixup to enhance the robustness of pretrained language models against adversarial attacks, showing significant improvements in experiments.

Contribution

The paper proposes AMDA, a new augmentation technique that interpolates between training samples to better cover attack space and improve model robustness.

Findings

AMDA significantly improves adversarial robustness of BERT and RoBERTa.

AMDA alleviates performance degradation on clean data.

The method outperforms traditional adversarial data augmentation.

Abstract

Pretrained language models (PLMs) perform poorly under adversarial attacks. To improve the adversarial robustness, adversarial data augmentation (ADA) has been widely adopted to cover more search space of adversarial attacks by adding textual adversarial examples during training. However, the number of adversarial examples for text augmentation is still extremely insufficient due to the exponentially large attack search space. In this work, we propose a simple and effective method to cover a much larger proportion of the attack search space, called Adversarial and Mixup Data Augmentation (AMDA). Specifically, AMDA linearly interpolates the representations of pairs of training samples to form new virtual samples, which are more abundant and diverse than the discrete text adversarial examples in conventional ADA. Moreover, to fairly evaluate the robustness of different models, we adopt a challenging evaluation setup, which generates a new set of adversarial examples targeting each model. In text classification experiments of BERT and RoBERTa, AMDA achieves significant robustness gains under two strong adversarial attacks and alleviates the performance degradation of ADA on the clean data. Our code is available at: https://github.com/thunlp/MixADA .